DNS: The Problematic Phone Book of Cyberspace

A new security protocol could plug the holes in the domain name system for good, Simson Garfinkel says.

Today the Internet's domain name system (DNS) remains one of the network's weakest links. DNS is the Internet protocol that translates host names, like www.hotwired.com, into IP addresses, like 204.62.129.1. It's the phone book of cyberspace, but it's riddled with problems.

Others have chronicled the political problems that the domain name system's top-down structure has created. Most of these problems involve Network Solutions Inc. (aka InterNIC), which manages the .com, .mil, .edu, .gov, .net, and .org top-level domains. NSI has been criticized for its handling of trademark disputes involving domain names and allegedly monopolistic practices.

What's worse, the domain name system is fundamentally insecure. By transmitting rogue packets to a computer, a hacker or information terrorist can confuse that machine, cajoling it into contacting one machine on the Internet when it means to reach another. Under certain conditions, a hacker can use DNS spoofing to break into a computer. DNS spoofing can be used to redirect or steal electronic mail, intercept pages sent over the World Wide Web, or impersonate other Web surfers. It's easy, untraceable, and becoming more common all the time.

Over the past few years, a working group of the Internet Engineering Task Force has developed an improved DNS - called DNSSEC - that solves the protocol's underlying security problems. The Department of Defense's Internet Infrastructure Protection program funded the technical work, which was in turn carried out by Trusted Information Systems. That organization has made a working implementation of the protocol freely available for download.

DNSSEC uses public key encryption and digital signatures to certify every address that's resolved by the DNS system. Each domain is assigned a public key. When your computer looks up a host in a particular domain, it checks the signature on the host's response. This eliminates spoofing; the bad guys can still send you a bogus response, but they can't sign it with the matching private key.

Besides strengthening the domain name system, DNSSEC can function as a database for distributing public keys. "Currently there is no protocol defined for publishing and automatically obtaining a public key for a user, a Web site, etc. DNSSEC can be used for this," says EFF founder John Gilmore, who is helping with the effort. "The keys themselves can be VeriSign keys, DNSSEC keys, Elliptic Curve encryption keys, or whatever."

Getting the Internet to adopt DNSSEC is a three-step process, says Donald Eastlake, secretary of the DNSSEC working group. First, network administrators and webmasters need to create public keys and secret keys for their Internet domains, and store those keys in their DNS servers. Second, they must modify their nameservers so they provide signed responses whenever a DNS query is made. Finally, the major server software companies must modify the resolvers - the programs that run on the desktop and translate domain names into IP addresses - to verify those signatures. But no company I am aware of has announced plans to incorporate DNSSEC into its DNS resolvers.
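The signing and verification split described above (the zone signs its answers, the resolver checks them against the zone's public key) can be shown end to end with a small toy. This is an added example, not code from the article or from the Trusted Information Systems implementation: it uses Ed25519 rather than RSA, a simplified record set instead of the real wire format, and constructed names and addresses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRSet is a toy resource record set: owner name, record type, answer data.
// Real DNSSEC also signs a validity window and TTL; this is a constructed model.
type RRSet struct {
	Name string
	Type string
	Data []string
}

// canonical renders the RRset deterministically so the signer and the
// verifier hash exactly the same bytes (DNSSEC canonicalises names similarly).
func (r RRSet) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(r.Data, ","))
}

// SignedAnswer is what a DNSSEC-enabled nameserver returns: the records plus
// the zone's signature over them (roughly the RRSIG record).
type SignedAnswer struct {
	RRs RRSet
	Sig []byte
}

// Sign is the zone operator's side (steps one and two in the article): the
// zone's secret key signs the canonical RRset before the answer is sent.
func Sign(priv ed25519.PrivateKey, rrs RRSet) SignedAnswer {
	return SignedAnswer{RRs: rrs, Sig: ed25519.Sign(priv, rrs.canonical())}
}

// Verify is the resolver's side (step three): the answer is accepted only if
// the signature checks out under the zone's published public key.
func Verify(pub ed25519.PublicKey, a SignedAnswer) bool {
	return ed25519.Verify(pub, a.RRs.canonical(), a.Sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the zone's key pair
	if err != nil {
		panic(err)
	}
	genuine := Sign(priv, RRSet{"www.hotwired.com", "A", []string{"204.62.129.1"}})
	fmt.Println("genuine answer verifies:", Verify(pub, genuine))
	spoof := genuine
	spoof.RRs.Data = []string{"192.0.2.10"} // constructed forged address
	fmt.Println("forged answer verifies:", Verify(pub, spoof))
}
```

A forged answer fails because the forger lacks the zone's secret key; re-signing it with a different key fails too, since the resolver only trusts the zone's public key.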

Signature verification also requires use of the RSA patent, and RSA Data Security hasn't yet given its go-ahead.

But what's most disturbing is that few people in the computer industry - even those who work with computer security - have even heard about DNSSEC. It will have to gain a higher profile before it will fly.